+# @summary A Concourse workre
+# Declared as a class, since the upstream documentation explicitly states
+# that multiple workers on a single node is nonsensical. This may however
+# change in future versions of this module, since you the option to limit
+# a worker to a specific team or tag exists, and linux can limit the amount
+# of resources given to a given process (this gets even easier through systemd,
+# which the module currently uses extensively).
+# @param key_dir
+# Directory in which keys should be stored.
+# @param worker_key_file
+# File in which the worker's public key should be stored
+# @param worker_private_key_file
+# File in which the worker ns private key should be stored.
+# @param cluster
+# Which concourse cluster this worker should be part of.
+# @param service
+# Name of the worker service
+# @param service_unit
+# Name of the (systemd) service unit for the worker.
+# @param ensure
+# @param work_dir
+# Working directory for the worker.
+# @param tsa_host
+# Network address to the master (web) node that this worker should connect to.
+# @param tsa_public_key
+# Public key of this workers master.
+# @param worker_public_key
+# Public key of this worker. Only used if `$manage_private_key` is
+# false, otherwise a key will be automatically generated.
+# public key exported as a fact.
+# @param worker_private_key
+# Private key of this worker. Like `worker_public_key`, will only
+# be used if `$manage_private_key` is false. This value will however
+# *not* be exported.
+# @param manage_private_key
+# Should this node manage and generate its own public key. If true
+# (the default) then a key will automatically be generated, and the
+# public portion exported as a fact.
+# @param export_public_key
+# Should an exported resource with this nodes public key be created.
+# This reads the fact from `$worker_public_key` and creates an exported
+# resource of type `concourse::worker_key`, which will allow the master
+# to realize it.
+# @param tag
+# List of arbitrary tags to connnect to this worker. Can be used by
+# pipelines which requires specific environments.
+# @param team
+# Limit this worker to a specific team.
+# @param healthcheck_bind_ip
+# Address to bind the healthcheck endpoint to.
+# @param healthcheck_bind_port
+# Port to bind the health endpoint to.
+# @param healthcheck_timeout
+# Timeout for health check.
+# @param extra_env
+# A hash of extra environment variables which will be passed directly
+# to the worker process.
+class concourse::worker (
+ Std::AbsolutePath $key_dir = '/usr/lib/concourse',
+ Std::AbsolutePath $worker_key_file = "${key_dir}/worker_key",
+ Std::AbsolutePath $worker_private_key_file = "${worker_key_file}.pub",
+ String $cluster = $concourse::default_cluster,
+ String $service = $concourse::worker_service,
+ String $service_unit = "${service}.service",
+ Enum['absent', 'present'] $ensure = 'present',
+ String $work_dir = $concourse::worker_work_dir,
+ String $tsa_host = lookup("concourse::${cluster}::tsa_host"),
+ String $tsa_public_key = lookup("concourse::${cluster}::tsa_public_key"),
+ Optinal[String] $worker_public_key = undef,
+ Optinal[String] $worker_private_key = undef,
+ Boolean $manage_private_key = $worker_private_key == undef,
+ Boolean $export_public_key = true,
+ Optional[Array[String]] $tag = undef,
+ Optinal[String] $team = undef,
+ String $healthcheck_bind_ip = '',
+ Stdlib::Port $healthcheck_bind_port = 8888,
+ String $healthcheck_timeout = '5s',
+ Hash[String, Any] $extra_env = {},
+) {
+ ensure_packages([
+ 'concourse',
+ ])
+ if $manage_private_key {
+ exec { 'Concourse generate worker key':
+ command => ['concourse', 'generate-key', '-t', 'ssh', '-f', $worker_key_file],
+ creates => $worker_private_key_file, # and worker_key_file
+ path => ['/sbin', '/usr/sbin', '/bin', '/usr/bin',]
+ }
+ } else {
+ file { $worker_key_file:
+ content => $worker_public_key,
+ }
+ file { $worker_private_key_file:
+ mode => '0600',
+ content => $worker_private_key,
+ }
+ }
+ if $export_public_key {
+ @@concourse::worker_key { "${facts['trusted']['certname']} worker key":
+ content => $facts['concourse_worker_key'],
+ cluster => $cluster,
+ }
+ }
+ systemd::unit_file { $service_unit:
+ ensure => $ensure,
+ soruce => "puppet:///modules/${module_name}/concourse-worker.service",
+ } ~> service { $service:
+ ensure => if $ensure == 'present' { 'running' } else { 'stopped' },
+ enable => true,
+ }
+ $env = {
+ 'CONCOURSE_WORK_DIR' => $work_dir,
+ 'CONCOURSE_TSA_HOST' => $tsa_host,
+ 'CONCOURSE_TSA_PUBLIC_KEY' => $tsa_public_key,
+ 'CONCOURSE_TSA_WORKER_PRIVATE_KEY' => $worker_private_key_file,
+ 'CONCOURSE_TAG' => $tag,
+ 'CONCOURSE_TEAM' => $team,
+ 'HEALTHCHECK_BIND_IP' => $healthcheck_bind_ip,
+ 'HEALTHCHECK_BIND_PORT' => $healthcheck_bind_port,
+ 'HEALTHCHECK_TIMEOUT' => $healthcheck_timeout,
+ } + $extra_env
+ file { '/etc/conf.d/concourse-worker':
+ ensure => $ensure,
+ mode => '0600',
+ show_diff => false,
+ content => epp("${module_name}/env.epp", $env),
+ }
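Review bot: The key paths look swapped. `$worker_private_key_file` defaults to `"${worker_key_file}.pub"`, so the unmanaged branch writes the private key to the `.pub` path, and `CONCOURSE_TSA_WORKER_PRIVATE_KEY` always points there. If `concourse generate-key -f` writes the private key to the `-f` path and the public half next to it as `.pub` (worth confirming), the managed branch hands the worker its public key and leaves the real private key at `$worker_key_file` with no mode enforced by Puppet. I would make the private path the base name, `$worker_private_key_file = "${key_dir}/worker_key"`, derive `$worker_key_file = "${worker_private_key_file}.pub"`, and pass the private path to `-f`. The private key is also a plain `String`, and its `file` resource has no `show_diff => false`, so key material can end up in file diffs in agent logs and reports; consider `Optional[Sensitive[String]] $worker_private_key = undef` and adding `show_diff => false` there, as the env file already does. Separately, `Optinal[...]` on three parameters and `soruce =>` on the unit file look like typos for `Optional` and `source`, and the class's closing brace is not in the visible lines, so the body may continue past this point.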